I'm trying to set up sending emails with SMTP on my VPS running Ubuntu 18.04. I'm using Postfix and nodemailer.

When I send from address@mydomain.com to a Gmail account, it gets stuck in the Gmail spam folder. I got a score of 6.8 on www.mail-tester.com, with these deductions:

-1.274 RDNS_NONE Delivered to internal network by a host with no rDNS This may indicate you do not have a rDNS configured for your hostname or the rDNS does not match your sending IP

-0.896 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) softfail

Your message is not signed with DKIM

I think my TXT record is correct:

"v=spf1 ip4:[removed-server-ip] include:_spf.mail.hostinger.com ~all"

/etc/postfix/main.cf:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = [removed-domain-name].com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost.[removed-domain-name].com, [removed-domain-name].com, [removed-domain-name]$
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf
```

nodemailer method:

```javascript
"use strict";
const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  sendmail: true,
  newline: 'unix',
  path: '/usr/sbin/sendmail',
  secure: true,
});

let info = await transporter.sendMail({
  from: '"[removed-domain-name].com" <no-reply@[removed-domain-name].com>', // sender address
  to: req.body.to, // list of receivers
  subject: "Hello", // Subject line
  text: req.body.message, // plain text body
  html: req.body.message, // html body
});
```

Joseph
  • Does this answer your question? [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](https://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Gerald Schneider Apr 27 '22 at 13:41
  • @GeraldSchneider, maybe, but honestly I'm a bit lost as to what to try next to fix the issues. I tried: https://serverfault.com/a/1064820 for the rDNS issue (didn't work), and I don't know what else I can do re. the SPF issue (as I thought I'd already sorted that with the TXT record). I'm reading through the answers there but nothing is immediately obvious to me that I should try, do you have any idea? – Joseph Apr 27 '22 at 14:05
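
How a receiver evaluates SPF records shaped like the `ip4:` record in the question and the `a mx` variant from the answer, as an added example (not code from this thread). Receivers run this check on the envelope sender domain and also on the HELO name, which is where SPF_HELO_* results come from. All domains, addresses and the `_spf.provider.example` include are constructed, and the evaluator is simplified to the mechanisms listed in its docstring.

```python
import ipaddress

# Constructed DNS data (documentation ranges); not the asker's real records.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.provider.example ~all",
        "example.org": "v=spf1 a mx include:_spf.provider.example ~all",
        "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    },
    "A": {"example.org": ["203.0.113.10"], "mail.example.org": ["203.0.113.10"]},
    "AAAA": {"mail.example.org": ["2001:db8::10"]},
    "MX": {"example.org": ["mail.example.org"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def hosts(name, dns):
    return dns["A"].get(name, []) + dns["AAAA"].get(name, [])

def match(addr, net):
    net = ipaddress.ip_network(net, strict=False)
    return addr.version == net.version and addr in net

def check_host(ip, domain, dns=DNS, depth=0):
    """Simplified SPF check: all, ip4, ip6, a, mx, include; other terms skipped."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = dns["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # the checked name publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            hit = match(addr, arg)
        elif name == "a":
            hit = any(match(addr, h) for h in hosts(arg or domain, dns))
        elif name == "mx":
            mxs = dns["MX"].get(arg or domain, [])
            hit = any(match(addr, h) for mx in mxs for h in hosts(mx, dns))
        elif name == "include":  # matches only if the included record passes
            hit = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            hit = False
        if hit:
            return result
    return "neutral"
```

With this data, a connection from the IPv6 address softfails the `ip4:`-only record but passes the `a mx` record because the MX host has an AAAA entry. A HELO name that has no TXT record of its own yields `none`.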

1 Answer

  1. Configure your reverse DNS. Add a PTR entry linking your IP to your MX server name.

  2. Ensure that myhostname in main.cf is set to your MX server name. This is probably the cause of your HELO mismatch.

  3. You can set your SPF to "v=spf1 a mx include:_spf.mail.hostinger.com ~all" to automatically accept your MX as senders, but it should be OK with the IP.

  4. Register your domain with Google to improve deliverability: https://support.google.com/a/answer/9649569?hl=en

  5. Definitely use DKIM:

opendkim

Install opendkim.

Configure

Edit /etc/opendkim.conf :

  • sv mode to sign and verify incoming emails (you may not need the verify mode)
  • ReportAddress postmaster@example.com
  • KeyTable, SigningTable : files linking the keys to DNS entries
  • InternalHosts : a file containing a list of trusted hosts

Create the keys

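```shell
# -p also creates /etc/opendkim/keys if it does not exist yet
mkdir -p /etc/opendkim/keys/example.com/
cd /etc/opendkim/keys/example.com/
# Writes mail.private (private key) and mail.txt (DNS record)
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.*
```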

Parameter -s is called selector, -d is the domain.

Edit /etc/opendkim/SigningTable and add a pair of domain/selector :

```
*@example.com mail._domainkey.example.com.
```

Edit /etc/opendkim/KeyTable and add a pair of selector/key :

```
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
```

Edit /etc/opendkim/TrustedHosts and insert

```
*.example.com
[your local network]
```

DNS

You need to add your public key into your DNS. You'll find the key in /etc/opendkim/keys/xxx.yy/mail.txt

Create a TXT field :

```
mail._domainkey.example.com 10800 TXT "v=DKIM1; k=rsa; p=very_long_key"
```

postfix

You have to make postfix aware of opendkim, to make it sign the keys.

Get the connect method for opendkim from its configuration. It should be something like inet:8891@localhost; add it as a filter in main.cf:

```
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
```

Finalize

Restart (eventually enable) opendkim and then postfix. Check the key in your DNS with opendkim-testkey -d example.com -s mail -vvv

Check with mail-tester.com. Check in /var/log/maillog that each sent email adds a line "DKIM-Signature field added".

Hexdump
  • Thanks @Hexdump, I followed your instructions, but at the last step, I get: ``opendkim-testkey -d [mydomain].com -s mail -vvv opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'mail._domainkey.[mydomain].com' opendkim-testkey: 'mail._domainkey.[mydomain].com' record not found`` – Joseph Apr 28 '22 at 08:01
  • Thank you @Hexdump, I now have a perfect 10/10 on mail-tester – Joseph Apr 28 '22 at 12:59
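
The DNS step of the answer as an added example (not the answerer's or OpenDKIM's code): it joins the quoted chunks of a `mail.txt` file into the single TXT value, builds the name that `opendkim-testkey` looks up, and checks the value's tags. The `mail.txt` layout shown is an assumption about typical `opendkim-genkey` output, the key is a constructed stand-in, and the function names are hypothetical.

```python
import base64
import re

# Constructed stand-in for a public key; a real mail.txt holds a long RSA key here.
FAKE_KEY = base64.b64encode(b"constructed sample, not a real key").decode()
# Constructed sample in the assumed layout of opendkim-genkey's <selector>.txt.
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={FAKE_KEY[:20]}"\n'
    f'\t  "{FAKE_KEY[20:]}" )  ; ----- DKIM key mail for example.com\n'
)

def dkim_record(zone_text, domain):
    """Return (query_name, txt_value) for a genkey-style zone fragment."""
    owner = zone_text.split()[0]  # e.g. "mail._domainkey"
    if not owner.endswith("._domainkey"):
        raise ValueError(f"unexpected owner name: {owner!r}")
    # The quoted chunks form one logical TXT value: join with nothing between.
    value = "".join(re.findall(r'"([^"]*)"', zone_text))
    return f"{owner}.{domain.rstrip('.')}", value

def dkim_problems(value):
    """List reasons a verifier would reject or ignore this TXT value."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.partition("=")
        if name.strip():
            tags[name.strip()] = val.strip()
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unexpected key type {tags['k']!r}")
    key = re.sub(r"\s+", "", tags.get("p", ""))
    if not key:
        problems.append("p= is empty (an empty key means revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (often a paste or quoting error)")
    return problems
```

Running `dkim_problems` on the value exactly as it was pasted into the DNS panel catches leftover quote characters between the chunks before the record is published.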